httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject MSIE and auth. realms
Date Sat, 18 Apr 1998 07:20:19 GMT
Guys if this is true then it's worth a note to bugtraq.  I want to put it
in known_client_problems but it's such a serious problem that it's foolish
for me to write about it without actually trying the clients myself to
prove the points I'd write.  So if someone wants to give me a breakdown
such as what versions and the exact exploits I'll write it up... or maybe
you want to write it up and add it :) 

Dean

---------- Forwarded message ----------
Date: Mon, 9 Mar 1998 14:25:28 -0700 (MST)
From: Marc Slemko <marcs@worldgate.com>
To: Apache - BYOC <new-httpd@apache.org>
Subject: MSIE and auth. realms
Reply-To: new-httpd@apache.org

Someone in a post to a newsgroup said that MSIE would treat two servers on
different ports on the same host as being the same server, ie. cached auth
for a realm on a server on one port will be sent to a server on another
port requesting that auth.

Combine that with a public (eg. University) system and IE caching
passwords on disk, and you come up with auth being useless.

Is what they said true, or are they doing something wrong like having both
saved to disk but not realizing it?




---------- Forwarded message ----------
Date: Tue, 10 Mar 1998 09:10:19 +0100 (CET)
From: Dirk-Willem van Gulik <dirk.vangulik@jrc.it>
To: Marc Slemko <marcs@worldgate.com>
Cc: Apache - BYOC <new-httpd@apache.org>
Subject: Re: MSIE and auth. realms
Reply-To: new-httpd@apache.org



On Mon, 9 Mar 1998, Marc Slemko wrote:

> Someone in a post to a newsgroup said that MSIE would treat two servers on
> different ports on the same host as being the same server, ie. cached auth
> for a realm on a server on one port will be sent to a server on another
> port requesting that auth.
> 
> Combine that with a public (eg. University) system and IE caching
> passwords on disk, and you come up with auth being useless.

No is true; and some v3's also treat a realm "" as matching any realm and
thus hand out passwords left, right and center. We ran in this recently
with some schools expected to having old equipment and where forced to
skip the vhosts and use different IP addresses. (Of course three weeks
later they went to netscape.. :-( ) 

Dw. 




---------- Forwarded message ----------
Date: Tue, 10 Mar 1998 09:27:30 +0100 (CET)
From: Dirk-Willem van Gulik <dirk.vangulik@jrc.it>
To: Marc Slemko <marcs@worldgate.com>
Cc: Apache - BYOC <new-httpd@apache.org>
Subject: Re: MSIE and auth. realms
Reply-To: new-httpd@apache.org



On Tue, 10 Mar 1998, Marc Slemko wrote:

> And people have trouble understanding why I often think the weakest link
> in Internet commerce (aside from the user) is the user's software.  Sigh.
 
> That is very broken.  What it means is that any hostname that requires
> private auth can't allow any users on it to run anything, period.  Sheesh.
> Yea, you still have to get the clients to go to your page to steal it, but
> that can be easy.
 
Ah well, combined with a bit of samba code you can suck empty their
password caches anway. But no seriously; we found that explitly setting
different realms works fine. Make sure they are different in the first few
chars.  (But if you switch on printing of the user/pwd combo IE passes
voluntarily (i.e. not problemt by an AuthReq) then you might be surprized
sometimes. I found that usefull for tracking down the problems.) 
Dw. 



Mime
View raw message